Anonymous identity verification method and system
By combining indicator vectors and auxiliary vectors with elliptic curve cryptography to create a ring signature scheme, the problems of excessively large signature size and security dependence on trusted third parties in existing technologies are solved. This enables anonymous authentication in a blockchain distributed storage environment, reduces the signature size to the logarithmic level, and supports efficient verification.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- ANT BLOCKCHAIN TECHNOLOGY (SHANGHAI) CO LTD
- Filing Date
- 2025-10-30
- Publication Date
- 2026-07-09
AI Technical Summary
Existing ring signature schemes have excessively large signature sizes and high storage costs in distributed scenarios such as blockchain, and their security relies on trusted third parties, making them unsuitable for distributed storage environments.
A novel ring signature implementation scheme is adopted, which generates an indicator vector and an auxiliary vector, and combines elliptic curve cryptography and blinding techniques to generate a signature value, a blinding value, and a commitment value. This ensures that the signature size is small and supports distributed storage. Bulletproofs inner product proof technology is used to reduce the signature size to the logarithmic level.
It enables efficient anonymous authentication without exposing account identity, reduces signature size to logarithmic level, supports distributed storage environments, and does not disclose account information during the verification process.
Smart Images

Figure CN2025131194_09072026_PF_FP_ABST
Abstract
Description
Anonymous authentication methods and systems
[0001] This application claims priority to Chinese patent application filed with the State Intellectual Property Office of China on December 31, 2024, application number 2024119991809, entitled "Anonymous Identity Verification Method and System", the entire contents of which are incorporated herein by reference. Technical Field
[0002] This specification relates to one or more embodiments of data privacy protection, and more particularly to methods and systems for anonymous identity verification and authentication in privacy-preserving scenarios. Background Technology
[0003] Blockchain technology is an application model that utilizes computer technologies such as peer-to-peer transmission, consensus mechanisms, and encryption algorithms to achieve distributed data storage. In a blockchain network, data storage and recording are achieved through transactions. The content of each transaction is jointly maintained by all nodes in the blockchain network, and no single party can tamper with the content of a block. Furthermore, blockchain uses encryption technology to ensure the security and anonymity of transactions.
[0004] In some scenarios, for privacy protection and / or access control purposes, users need to prove their identity anonymously, such as belonging to a set of authorized accounts. For example, in a blockchain scenario, a user might want to sign a transaction without revealing their identity.
[0005] Therefore, we hope to provide an effective solution that can achieve anonymous identity verification. Summary of the Invention
[0006] This specification describes one or more embodiments of an anonymous authentication method in which an account acting as the certifier can conceal its identity within a set of accounts through a ring signature, while proving that it belongs to this set of accounts, thereby achieving anonymous identity proof and verification.
[0007] According to the first aspect, an anonymous authentication method is provided, performed by a first device, comprising:
[0008] Based on the index of the first account in the target account set, a binary indicator vector and an auxiliary vector with a predetermined relationship are generated; based on the indicator vector, the auxiliary vector, and the first private key of the first account, a first signature value C is generated; wherein, the target account set is identified by a corresponding public key sequence;
[0009] Based on the first random number selected by the verification device and the public key sequence, calculate the first public key vector, and based on the first public key vector and the random array selected by the party, calculate the blinding value;
[0010] Based on the indication vector, the auxiliary vector, and the challenge array selected by the verification device, two vector polynomials and the result polynomial generated by their inner product are generated, and based on the coefficients of the result polynomial, a first set of commitment values is generated.
[0011] The variable value x selected by the verification device is substituted into the two vector polynomials, and a second set of commitment values is generated based on the calculation results of the substitution.
[0012] The first signature value, the blinding value, the first set of commitment values and the second set of commitment values are provided to the verification device for the verification device to verify whether the first account belongs to the target account set.
[0013] According to one implementation, at least one of the first random number, the random array, and the variable value is received from a verification device.
[0014] According to another implementation, at least one of the first random number, the random array, and the variable value is generated based on the data source and generation algorithm specified by the verification device.
[0015] In one embodiment, the first account is an account in the blockchain system, the verification device is a device corresponding to the ledger node in the blockchain, and the method further includes the verification device verifying that the first account belongs to the target account set and writing the first transaction issued by the first account into the blockchain.
[0016] According to one implementation, the aforementioned generation of the first signature value specifically includes: obtaining the first signature value based on the product of the first data item, the second data item, and the third data item, wherein the first data item is determined with the first target generator as the base and the first private key as the exponent; the second data item is determined with the first generator vector as the base and the indicator vector as the exponent; and the third data item is determined with the second generator vector as the base and the auxiliary vector as the exponent.
[0017] According to one embodiment, calculating the first public key vector specifically includes: using the initial public key vector corresponding to the public key sequence as the base and the first random number as the exponent to calculate an intermediate vector; multiplying the intermediate vector by the first generator vector bitwise to obtain the first public key vector.
[0018] In a further embodiment, the random array selected by this party includes first and second blinding vectors, and a second random number; the aforementioned calculation of the blinding value specifically includes: obtaining the blinding value based on the product of the fourth data item, the fifth data item, and the sixth data item, wherein the fourth data item is determined with the second target generator as the base and the second random number as the exponent; wherein the second target generator is determined based on the first target generator, the first random number, and the basic generator used to generate the public key sequence; the fifth data item is determined with the first public key vector as the base and the first blinding vector as the exponent; and the sixth data item is determined with the second generator vector as the base and the second blinding vector as the exponent.
[0019] According to one implementation, the random array selected by the present party includes first and second blinding vectors; generating two vector polynomials includes: based on the indicator vector and the challenge array, introducing the product of the first blinding vector and the variable to obtain a first vector polynomial; based on the auxiliary vector and the challenge array, introducing the product of the second blinding vector and the variable to obtain a second vector polynomial.
[0020] In one embodiment, generating a first set of commitment values specifically includes: calculating the coefficient values of the linear terms of the resulting polynomial based on the challenge array, generating a first commitment value T1 based on the linear term coefficient values and a locally generated third random number; calculating the coefficient values of the quadratic terms of the resulting polynomial based on the challenge array, and generating a second commitment value T2 based on the quadratic term coefficient values and a locally generated fourth random number.
[0021] Furthermore, in one embodiment, generating a second set of commitment values based on the substitution calculation results includes: obtaining two target vectors obtained by substituting the variable value x into the two vector polynomials, and the result value obtained by substituting it into the result polynomial; generating a first verification value according to the third random number, the fourth random number, and the variable value; generating a second verification value according to the variable value and the first private key; generating a third verification value according to the variable value and the random array selected by the party; and determining the second set of commitment values, which includes the two target vectors, the result value, the first verification value, the second verification value, and the third verification value.
[0022] According to the second aspect, an anonymous authentication method is provided, including:
[0023] The first device generates a binary indicator vector and an auxiliary vector with a predetermined relationship with the first account based on the index of the first account in the target account set; and generates a first signature value C based on the indicator vector, the auxiliary vector and the first private key of the first account; wherein the target account set is identified by a corresponding public key sequence.
[0024] The first device calculates a first public key vector based on a first random number selected by the verification device and the public key sequence, and calculates a blinding value based on the first public key vector and a random array selected by itself.
[0025] The first device generates two vector polynomials and the result polynomial generated by their inner product based on the indication vector, the auxiliary vector, and the challenge array selected by the verification device, and generates a first set of commitment values based on the coefficients of the result polynomial.
[0026] The first device substitutes the variable value x selected by the verification device into the two vector polynomials and the result polynomial, and generates a second set of commitment values based on the calculation results of the substitution.
[0027] The verification device verifies whether the first account belongs to the target account set based on the first signature value, the first public key vector, the blinding value, and the first set of commitment values and the second set of commitment values.
[0028] According to one implementation, verifying whether a first account belongs to the target account set includes: calculating a first calculated value based on the second set of commitment values and the agreed generator; calculating a second calculated value based on the first set of commitment values and the variable value; and verifying whether the first calculated value is equal to the second calculated value.
[0029] According to one embodiment, verifying whether a first account belongs to the target account set includes: calculating a third calculated value based on the first signature value, a first verification vector, a first public key vector, the variable value, and the challenge array; calculating a fourth calculated value based on the first public key vector, an agreed generator, and the second set of commitment values; and verifying whether the third calculated value is equal to the fourth calculated value.
[0030] According to a third aspect, an anonymous authentication device is provided, deployed in a first device, comprising:
[0031] The first generation unit is configured to generate a binary indicator vector and an auxiliary vector having a predetermined relationship with the first account based on the index of the first account in the target account set; and generate a first signature value C based on the indicator vector, the auxiliary vector, and the first private key of the first account; wherein the target account set is identified by a corresponding public key sequence.
[0032] The second generation unit is configured to calculate a first public key vector based on a first random number selected by the verification device and the public key sequence, and to calculate a blinding value based on the first public key vector and a random array selected by the user.
[0033] The third generation unit is configured to generate two vector polynomials and the result polynomial generated by their inner product based on the indication vector, the auxiliary vector and the challenge array selected by the verification device, and to generate a first set of commitment values based on the coefficients of the result polynomial.
[0034] The fourth generation unit is configured to substitute the variable value x selected by the verification device into the two vector polynomials, and generate a second set of commitment values based on the calculation results of the substitution.
[0035] The first signature value, the blinding value, the first set of commitment values and the second set of commitment values are provided to the verification device for the verification device to verify whether the first account belongs to the target account set.
[0036] According to the fourth aspect, an anonymous authentication system is provided, comprising a first device and an authentication device, wherein:
[0037] The first device is configured to: generate a binary indicator vector and an auxiliary vector with a predetermined relationship to it based on the index of the first account in the target account set; generate a first signature value C based on the indicator vector, the auxiliary vector, and the first private key of the first account; wherein the target account set is identified by a corresponding public key sequence; calculate a first public key vector based on a first random number selected by the verification device and the public key sequence; calculate a blinding value based on the first public key vector and a random array selected by the user; generate two vector polynomials and the result polynomial generated by their inner product based on the indicator vector, the auxiliary vector, and the challenge array selected by the verification device; generate a first set of commitment values based on the coefficients of the result polynomial; and generate a second set of commitment values based on the calculation result by substituting the variable value x selected by the verification device into the two vector polynomials and the result polynomial.
[0038] The verification device is configured to verify whether a first account belongs to the target account set based on the first signature value, the first public key vector, the blinding value, and the first set of commitment values and the second set of commitment values.
[0039] According to a fifth aspect, a computing device is provided, including a memory and a processor, wherein the memory stores executable code, and the processor, when executing the executable code, implements the method of the first aspect or the second aspect.
[0040] In the embodiments described in this specification, the device containing the first account generates a signature value C, a blinding value S, and two sets of commitment values based on the first account's location in the target account set and its private key. These data are blinded and obfuscated with random numbers, ensuring that they do not reveal the first account's information (including its location ind and its private key). This allows the verification device to verify whether the first account belongs to the target account set without knowing which account the device represents, thus achieving anonymous authentication. Furthermore, the data size in the above proof process is relatively small, supporting distributed scenarios. Attached Figure Description
[0041] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the following description of the embodiments will be briefly introduced. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0042] Figure 1 illustrates a ring signature-based authentication method in a blockchain.
[0043] Figure 2 shows a flowchart of an anonymous authentication method according to one embodiment;
[0044] Figure 3 shows a schematic diagram of the device in one embodiment;
[0045] Figure 4 shows a schematic diagram of an anonymous authentication system according to one embodiment. Detailed Implementation
[0046] The solution provided in this specification will now be described with reference to the accompanying drawings.
[0047] Ring signatures are an anonymous signing technique that allows a signer to sign without revealing their identity. A ring signature consists of a signer and a set of members, where anyone can be a member, but only the signer and one of the set's members know the signer's identity. Through ring signatures, the signer can prove to the outside world that they are a member of the set, but they cannot be identified as any specific member of the set.
[0048] Ring signatures can be applied to blockchain to achieve identity privacy protection within the blockchain. Figure 1 illustrates a ring signature-based authentication method in a blockchain. As shown in Figure 1, user u... s You can obfuscate your public key with a series of accounts u1,…,u on the blockchain. n public keys pk1, ... pk n Then, using his private key sk SA transaction is initiated and uploaded to the blockchain. The verifier, by verifying the ring signature, can determine that the signature originated from a specific user within the aforementioned account set, thus validating the transaction. However, the verifier cannot identify the specific user from whom the transaction originated, i.e., the identity of the transaction initiator remains unknown. Verified transactions can then be stored on the blockchain as evidence in the usual manner. In this way, ring signatures achieve both identity verification and identity concealment within the blockchain, i.e., identity verification under anonymity.
[0049] However, current ring signature schemes in the industry have some shortcomings. Some ring signature schemes result in large signature sizes. In distributed scenarios such as blockchain, signatures are stored across multiple nodes, leading to large signature sizes. Furthermore, in some ring signature schemes used by cryptocurrencies, the signature size is linearly related to the number of members in the confusion set, resulting in excessively large signature sizes and high storage costs. On the other hand, some ring signature schemes are not well-suited for distributed storage. In some existing technical approaches, the security definition of ring signatures requires a trusted third party to generate the private key, ensuring that no single participant can possess multiple private keys in the ring signature. This requirement is unattainable in distributed scenarios, making ring signature schemes based on this technical approach unsuitable for distributed scenarios such as blockchain.
[0050] In view of this, in the embodiments of this specification, a new ring signature implementation scheme is proposed. This scheme has a smaller signature size, supports distributed scenarios, and can efficiently realize anonymous identity proof and verification.
[0051] The process of implementing a ring signature protocol for anonymous authentication is described below with reference to the accompanying drawings. Figure 2 shows a flowchart of an anonymous authentication method according to one embodiment. As can be seen, the flowchart in Figure 2 involves a first device and an authentication device. The first device is a first account u. s The device in question. Assume the first account belongs to a target account set u1,…,u consisting of n accounts. n And it is hidden within this set of accounts. Furthermore, the target set of accounts uses its corresponding n public keys pk1,…pk n To identify them. The above n public keys are in a public state. Assume that the above n public keys are generated using the same elliptic curve generator g and their respective corresponding private keys, that is, any pk i satisfy: In the following text, this common generator g is referred to as the fundamental generator.
[0052] The verification device can be any device that verifies the ring signature. In a blockchain scenario, this verification device can be the device where the ledger node is located, but it is not limited to this. The specific implementation process of the ring signature protocol is described below.
[0053] In step 201, the first device generates a binary indicator vector and an auxiliary vector with a predetermined relationship to the first account based on the index of the first account in the target account set.
[0054] Specifically, the first device first determines the first account in the target account set u1,…,u n The sequence index in the target account set is the public key sequence (pk1, ..., pk1) corresponding to the public key of the first account. n The index or number in the sequence is denoted as ind. A binary indicator vector is generated based on this index ind. This indicator vector In the expression, the value at position ind is 1, and all other positions are 0.
[0055] In addition, based on the indicator vector Generate the corresponding auxiliary vector This makes the two satisfy the following relationship (1):
[0056] Then, in step 202, the first device generates a first signature value based on the aforementioned instruction vector, auxiliary vector, and the first private key sk of the first account.
[0057] In one embodiment, the first device can be located within a pre-defined integer ring. A random number α is randomly selected, and the first signature value C is calculated using the following formula (2):
[0058] In formula (2), sk is the private key of the first account, and h and g0 can be elliptic curve generators agreed upon with the verification device. and Both are generator vectors composed of n selected generators, i.e.
[0059] As can be seen, the first signature value C is based on the product of three data items, superimposed with h. α The random terms are generated, wherein the first data term is determined by the first target generator g0 as the base and the first private key sk as the exponent; the second data term is determined by the first generator vector. As the base, with the indicated vector The exponent is determined; the third data term is determined by the second generator vector. As the base, with the auxiliary vector The index is determined.
[0060] Formula (2) involves an exponential operation between vectors, which is defined as follows: vector a = (a1, ..., a2) NThe vector b = (b1, ..., b) N ) power is represented as
[0061] After generating the first signature value C as described above, in step 203, the first device can send the first signature value C to the verification device.
[0062] After receiving the first signature value, in step 204, the verification device randomly selects a random number from the aforementioned integer ring, hereinafter referred to as the first random number. Send the first random number d to the first device.
[0063] In step 205, the first device uses the first random number selected by the verification device and the aforementioned public key sequence (pk1,…pk) n ), calculate the first public key vector.
[0064] It can be understood that a public key sequence can correspond to an initial public key vector {pk1,…pk}. n In step 205, the first device can fuse the information of the first random number and the information of the aforementioned first generator vector into the initial public key vector, and blind it to obtain the first public key vector. In a specific example, the first public key vector can be calculated according to the following formula (3):
[0065] According to the above formula (3), we can first use the initial public key vector {pk1,…pk} n Using} as the base and the first random number d as the exponent, calculate the intermediate vector; then, combine the intermediate vector with the first generator vector {g1,…,g}. n Perform bitwise multiplication to obtain the first public key vector.
[0066] In step 206, the first device calculates the blinding value S based on the first public key vector and the random array selected by itself.
[0067] In this step, the first device itself selects some random numbers, including the first and second blinding vectors. random numbers Based on these random numbers and the first public key vector, a blinding value S is calculated. In one example, the blinding value can be calculated according to the following formula (4):
[0068] in,
[0069] According to formula (4), the calculation of this blinding value corresponds in form to the calculation of the first commitment value. Specifically, it can be calculated by superimposing h based on the product of the three data items.ρ The random terms are generated, and three of the data terms can be referred to as the fourth to sixth data terms. The fourth data term is generated by the second objective generator. Using the base number r, and the second random number r sk The exponent is determined; where the second objective generator is... The fifth data item is determined based on the aforementioned first target generator g0, the first random number d, and the basic generator g used to generate the public key sequence; the fifth data item is determined by the first public key vector. Using the first blinding vector as the base The exponent is determined; the sixth data item is determined by the second generator vector. As the base, with the second blinding vector The index is determined.
[0070] Due to the second objective generator The data is combined with information from the first target generator g0 and the second random number r. sk Corresponding to the first private key sk, it can be assumed that the fourth data item in the blinded value S corresponds to the first data item in the first signature value C. This is because the first public key vector... The first generator vector is integrated into the middle. The information is such that the fifth data item of the blinded value corresponds to the second data item of the first signature value C, and the sixth data item corresponds to the third data item of C. Thus, a blinded value that has been blinded and has a certain correspondence with the first signature value is obtained.
[0071] In step 207, the first device sends the aforementioned blinding value S to the verification device.
[0072] In step 208, after receiving the blinding value S, the verification device selects the challenge array (y, z) and sends it to the first device.
[0073] In step 209, the first device generates two vector polynomials and the resulting polynomial generated by their inner product based on the instruction vector, the auxiliary vector, and the acquired challenge array, and generates a first set of commitment values based on the coefficients of the resulting polynomial.
[0074] In one embodiment, the first device is based on an indication vector. Auxiliary vector Given the challenge arrays y and z, and introducing the aforementioned first and second blinding vectors and variable X, we obtain two vector polynomials. Specifically, this can be based on the indicator vectors. And the challenge array, introducing the first blinding vector The product of the first vector polynomial and the variable X yields the first vector polynomial; based on the auxiliary vector... And the aforementioned challenge array, introduce a second blinding vector. The product of the vector and the variable X yields the second vector polynomial.
[0075] In a specific example, the first vector polynomial l(X) and the second vector polynomial r(X) can be constructed according to the following formula (6):
[0076] in,
[0077] Correspondingly, the resulting polynomial t(X) can be expressed as:
[0078] t(X)=<l(X), r(X)>=t0+t1·X+t2·X 2 (7)
[0079] It should be noted that the indicator vector shown in formula (1) and auxiliary vector The relationship between them shows that for any random variable y and its corresponding... The following relation (8) also holds, that is, the relation in formula (1) can be rewritten as formula (8) below:
[0080] because It is 1 at only one position, therefore: Combining this with formula (8), we can obtain that, for any random variable z, the following formula (9) also holds:
[0081] Formula (9) can be equivalently transformed into:
[0082] As can be seen, the inner product on the left side of formula (10) is the inner product of the constant terms (i.e., the terms that do not contain the variable X) in the two vector polynomials shown in formula (6). Therefore, the right side of formula (10) corresponds to the constant term t0 in the result polynomial t(X), that is:
[0083] As can be seen, the constant term t0 of the resulting polynomial is only related to the challenge array (y,z), and is a value that the verification device can also calculate independently.
[0084] The coefficients t1 and t2 of the linear term in the resulting polynomial t(X) are related to both the challenge array and the first and second blinding vectors chosen by the user. The first device can then use the challenge array and the two blinding vectors... and Calculate the coefficient values of these two coefficients by taking their respective values.
[0085] Next, the first device calculates the first set of commitment values based on the coefficient values of the resulting polynomial. Specifically, the first commitment value T1 can be generated based on the calculated coefficient value t1 of the linear term and the locally generated third random number τ1; the second commitment value T2 can be generated based on the coefficient value t2 of the quadratic term and the locally generated fourth random number τ2.
[0086] In a specific example, the first and second commitment values can be generated as follows:
[0087] Where g is the basic generator and h is the auxiliary generator used to calculate the first signature value C and the blinding value.
[0088] Thus, the first device calculates the first set of commitment values based on the coefficients of the resulting polynomial. Then, in step 210, the first device sends the first set of commitment values T1 and T2 to the verification device.
[0089] In step 211, after receiving the first set of commitment values, the verification device randomly selects a variable value x and sends it to the first device.
[0090] In step 212, the first device substitutes the variable value x selected by the verification device into the two vector polynomials mentioned above, and generates a second set of commitment values based on the calculation results of the substitution.
[0091] In this step, the first device substitutes the variable value x into the aforementioned first vector polynomial l(X) and second vector polynomial r(X) to obtain two target vectors. and Right now:
[0092] Based on this, the first device calculates the inner product of the two target vectors mentioned above to obtain the result value. The result value This is equivalent to the result obtained by substituting the variable value x into the result polynomial t(X):
[0093] In addition, the first device generates a first verification value τ based on the aforementioned third random number τ1, fourth random number τ2, and variable value x. x τ x =τ2·x 2 +τ1·x (15)
[0094] In addition, the first device generates a second verification value η and a third verification value μ based on the variable value x, the first private key sk, and the random number selected by itself in the previous steps. Specifically, the second and third verification values can be generated as follows: η = -sk + r sk ·x μ=α+ρ·x (16)
[0095] The two target vectors calculated above and Result value First to third verification values τ x ,η,μ constitute the second set of commitment values.
[0096] In step 213, the first device sends the second set of commitment values to the verification device.
[0097] In step 214, the verification device verifies the first signature value C and the first public key vector. The blinding value S, along with the first set of commitment values and the second set of commitment values, are used to verify whether the first account belongs to the target account set.
[0098] Specifically, the verification equipment can first verify the result value in the second set of committed values. Whether it equals the dot product of the two target vectors, i.e., verification:
[0099] Obviously, if the first device performs the calculation according to the protocol, the above formula (17) should hold.
[0100] In one embodiment, the verification device further performs the following second verification process: The verification device calculates a first calculated value V1 based on the second set of commitment values and the agreed generator; calculates a second calculated value V2 based on the first set of commitment values and the variable value x; and verifies whether the first calculated value is equal to the second calculated value.
[0101] In a specific example, the first calculated value V1 is Where g is the aforementioned basic generator, and h is the aforementioned auxiliary generator. All of them are from the second set of commitment values sent by the first device, and t0 can be calculated by itself according to formula (11).
[0102] The second calculated value V2 can be set as follows: Both T1 and T2 are derived from the first set of commitment values sent by the first device.
[0103] The second verification process can be represented as:
[0104] It is understandable that if the first device performs calculations according to the agreement, then:
[0105] Therefore:
[0106] Substituting formula (20) into the exponent of the base g in the first calculated value V1, and substituting formula (15) into the exponent of the base h, and combining the definitions of T1 and T2 in formula (12), it can be demonstrated that if the first device performs the calculation according to the protocol, then relation (18) holds, that is, the first calculated value should be equal to the second calculated value.
[0107] In one embodiment, the verification device further performs the following third verification process. Specifically, the verification device verifies the first signature value C, the blinding value S, and the first public key vector. The third calculated value V3 is obtained by using the variable value x and the challenge array; in addition, it is also calculated based on the first public key vector. Using the agreed generator and the second set of commitment values, the fourth calculated value V4 is obtained; verify whether the third calculated value is equal to the fourth calculated value.
[0108] In a specific example, the verification device first generates a predefined metavector based on the value of y in the challenge array. Perform the transformation to obtain the transformed element vector. The transformation method can be represented as follows:
[0109] Based on this, the third calculated value V3 can be set as:
[0110] Wherein, C is the first commitment value and S is the blinding value, both of which are values received from the first device; Generate metavectors for the above transformations. The first public key vector can be calculated by the verification device according to formula (3), and (y, z) is the challenge array selected by the verification device.
[0111] Accordingly, the fourth calculated value V4 can be set as follows:
[0112] Where h is a pre-agreed auxiliary generator, Determined according to formula (5), Both η and η come from the second set of commitment values sent by the first device.
[0113] The third verification process can be represented as:
[0114] It's understandable that when the first device belongs to the target account set, there is a PK (player kill) situation. ind =g sk Substituting this relation, it can be demonstrated that if the first device performs the calculation according to the protocol, then relation (24) holds, meaning the third calculated value should be equal to the fourth calculated value. This achieves the authentication of the first account of the first device.
[0115] Reviewing the above process, the information generated and provided by the first device to the verification device—from the first signature value C and the blinding value S to the first set of commitment values and the second set of commitment values—does not reveal the information of the first account (including its location ind and its private key). Therefore, the verification device can verify whether the first account belongs to {pk1,…pk} without knowing which account the first device represents. n The target account set represented by} is used to achieve anonymous authentication.
[0116] In the above process, the components of the entire ring signature include as well as Therefore, the size is 2n+8 elements. Using Bulletproofs' inner product proof technique, the storage of ring signatures can be reduced to... This makes the data size of the ring signature logarithmic to the number of members n, greatly reducing the signature size.
[0117] Furthermore, it should be understood that Figure 2 illustrates an example implementation scenario of anonymous authentication, in which the first device interacts with the authentication device to obtain the challenge array and variable values, and provides it with data such as the signature value and commitment value in the ring signature. In another implementation scenario, the aforementioned anonymous identity verification can also be achieved through a non-interactive method.
[0118] Specifically, the verification device can specify some data generators, such as pseudo-random number generators, hash function-based generators, etc. Using the agreed-upon generator, based on the same data source, the same random numbers can be generated. Thus, when the first device needs to obtain the random number selected by the verification device in Figure 2, it can obtain the corresponding random number according to the data source and data generation algorithm specified by the verification device. For example, in step 205 of Figure 2, when the first device needs to obtain the first random number d, the first device can generate the first random number according to the specified first generator and the public first data source. The public first data source can be publicly available data in the blockchain system or the result previously calculated by the first device. For example, after the first device calculates the first commitment value C, it can use this calculated value as a random seed and input it into the pseudo-random number generator to obtain the first random number d. Similarly, in step 209, when the first device needs to obtain the challenge array (y, z), it can generate the challenge array (y, z) according to the specified second data source and second generator. The second generator can be the same generator as the aforementioned first generator or a different generator; this is not limited here. The second data source can be publicly available data within the blockchain system, or it can be the result of calculations previously performed by the first device, such as the first commitment value C and the blinding value S. Other random numbers that need to be selected by the verification device, such as the variable x, can also be obtained in the above manner. In this way, the first device obtains the random numbers selected by the verification device in a non-interactive manner and completes the ring signature.
[0119] Non-interactive methods save communication between devices and support scenarios with multiple verification devices. For example, a data source and generator can be agreed upon in the blockchain system. Thus, any verification device in the blockchain system can verify the ring signature generated by the first account. When a first random number is needed, the verification device generates a first random number d based on the agreed first generator and first data source. For example, the first signature value C is read, used as a random seed, and input into an agreed pseudo-random number generator to obtain the first random number. Since the generator and data source are the same, the verification device can generate the same random number as the first device. When a challenge array (y, z) is needed, the verification device similarly generates a challenge array based on an agreed second generator and second data source, which will not be elaborated further. The aforementioned verification devices can include, but are not limited to, various ledger nodes in the blockchain system. When a verification device is a ledger node, it can obtain the transaction issued by the first account and the generated ring signature. If the ring signature is successfully verified, the transaction issued by the first account is written into the blockchain. Other nodes in the blockchain system can also verify the ring signature when needed.
[0120] In this way, the first device does not need to interact with each verification device individually to generate a ring signature; instead, it generates a universal ring signature in a non-interactive manner and sends it to each node of the blockchain network and then publishes it on the blockchain chain. This allows any verification device to verify the ring signature during the process, better supporting distributed scenarios and further improving verification efficiency.
[0121] According to another embodiment, an anonymous authentication device is provided, deployed in a first device, which can be implemented as any device, platform, or computing cluster with computing and processing capabilities. Figure 3 shows a schematic diagram of the device in one embodiment. As shown in Figure 3, the device 300 includes:
[0122] The first generation unit 31 is configured to generate a binary indicator vector and an auxiliary vector with a predetermined relationship with the first account based on the index of the first account in the target account set; and generate a first signature value C based on the indicator vector, the auxiliary vector and the first private key of the first account; wherein the target account set is identified by a corresponding public key sequence.
[0123] The second generation unit 32 is configured to calculate a first public key vector based on a first random number selected by the verification device and the public key sequence, and to calculate a blinding value based on the first public key vector and the random array selected by the party.
[0124] The third generation unit 33 is configured to generate two vector polynomials and the result polynomial generated by their inner product based on the indication vector, the auxiliary vector and the challenge array selected by the verification device, and to generate a first set of commitment values based on the coefficients of the result polynomial.
[0125] The fourth generation unit 34 is configured to substitute the variable value x selected by the verification device into the two vector polynomials, and generate a second set of commitment values based on the calculation results of the substitution.
[0126] The first signature value, the blinding value, the first set of commitment values and the second set of commitment values are provided to the verification device for the verification device to verify whether the first account belongs to the target account set.
[0127] According to another embodiment, an anonymous authentication system is provided. Figure 4 shows a schematic diagram of an anonymous authentication system according to one embodiment, including a first device 41 and an authentication device 42. In one example, the first device 41 is the device containing a first account, which may be, for example, an account in a blockchain system. The authentication device 42 may be any device that needs to authenticate the first account.
[0128] Specifically, the first device 41 is configured to: generate a binary indicator vector and an auxiliary vector with a predetermined relationship to it based on the index of the first account in the target account set; generate a first signature value C based on the indicator vector, the auxiliary vector, and the first private key of the first account; wherein the target account set is identified by a corresponding public key sequence; calculate a first public key vector based on a first random number selected by the verification device and the public key sequence; calculate a blinding value based on the first public key vector and a random array selected by the user; generate two vector polynomials and the result polynomial generated by their inner product based on the indicator vector, the auxiliary vector, and the challenge array selected by the verification device; generate a first set of commitment values based on the coefficients of the result polynomial; and substitute the variable value x selected by the verification device into the two vector polynomials and the result polynomial, and generate a second set of commitment values based on the calculation result.
[0129] The verification device 42 is configured to verify whether a first account belongs to the target account set based on the first signature value, the first public key vector, the blinding value, and the first set of commitment values and the second set of commitment values.
[0130] The above anonymous identity verification system can confirm that the first account belongs to the target account set without exposing the specific account information of the first account.
[0131] According to another embodiment, a computer-readable storage medium is also provided, on which a computer program is stored, which, when executed in a computer, causes the computer to perform the method executed in the first device and / or the verification device in FIG2.
[0132] According to another embodiment, a computing device is also provided, including a memory and a processor, wherein executable code is stored in the memory, and when the processor executes the executable code, it implements the method executed in the first device and / or the verification device in FIG2.
[0133] In the 1990s, improvements to a technology could be clearly distinguished as either hardware improvements (e.g., improvements to the circuit structure of diodes, transistors, switches, etc.) or software improvements (improvements to the methodology). However, with technological advancements, many methodological improvements today can be considered direct improvements to the hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming the improved methodology into the hardware circuit. Therefore, it cannot be said that a methodological improvement cannot be implemented using hardware physical modules. For example, a Programmable Logic Device (PLD) (such as a Field Programmable Gate Array (FPGA)) is such an integrated circuit whose logic function is determined by the user programming the device. Designers can program and "integrate" a digital system onto a PLD themselves, without needing chip manufacturers to design and manufacture dedicated integrated circuit chips. Furthermore, nowadays, instead of manually manufacturing integrated circuit chips, this programming is mostly implemented using "logic compiler" software. Similar to the software compiler used in program development, the original code before compilation must also be written in a specific programming language, called a Hardware Description Language (HDL). There are many HDLs, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language). Currently, the most commonly used are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. Those skilled in the art should also understand that by simply performing some logic programming on the method flow using one of these hardware description languages and programming it into an integrated circuit, the hardware circuit implementing the logical method flow can be easily obtained.
[0134] The controller can be implemented in any suitable manner. For example, it can take the form of a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, application-specific integrated circuits (ASICs), programmable logic controllers, and embedded microcontrollers. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller can also be implemented as part of the control logic of the memory. Those skilled in the art will also recognize that, in addition to implementing the controller in purely computer-readable program code form, the same functionality can be achieved by logically programming the method steps to make the controller take the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, and embedded microcontrollers. Therefore, such a controller can be considered a hardware component, and the means included therein for implementing various functions can also be considered as structures within the hardware component. Alternatively, the means for implementing various functions can be considered as both software modules implementing the method and structures within the hardware component.
[0135] The systems, devices, modules, or units described in the above embodiments can be implemented by computer chips or physical entities, or by products with certain functions. A typical implementation device is a server system. Of course, this application does not exclude the possibility that, with the future development of computer technology, the computer implementing the functions of the above embodiments can be, for example, a personal computer, a laptop computer, an in-vehicle human-machine interaction device, a cellular phone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or any combination of these devices.
[0136] While one or more embodiments of this specification provide the operational steps of the methods described in the embodiments or flowcharts, more or fewer operational steps may be included based on conventional or non-inventive means. The order of steps listed in the embodiments is merely one possible order of execution among many steps and does not represent the only possible order. In actual device or end product execution, the methods shown in the embodiments or drawings may be executed sequentially or in parallel (e.g., in a parallel processor or multi-threaded processing environment, or even a distributed data processing environment). The terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, product, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, product, or apparatus. Without further limitations, the presence of other identical or equivalent elements in the process, method, product, or apparatus that includes the elements is not excluded. For example, the use of terms such as "first," "second," etc., is to denote names and does not indicate any particular order.
[0137] For ease of description, the above devices are described in terms of function, divided into various modules. Of course, when implementing one or more of these specifications, the functions of each module can be implemented in one or more software and / or hardware components, or a module that performs the same function can be implemented by a combination of multiple sub-modules or sub-units. The device embodiments described above are merely illustrative. For example, the division of units is only a logical functional division; in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces, indirect coupling or communication connection between devices or units, and may be electrical, mechanical, or other forms.
[0138] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in one or more blocks of the flowchart illustrations and / or one or more blocks of the block diagrams.
[0139] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means that implement the functions specified in one or more flowcharts and / or one or more block diagrams.
[0140] These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process, such that the instructions, which execute on the computer or other programmable apparatus, provide steps for implementing the functions specified in one or more flowcharts and / or one or more block diagrams.
[0141] In a typical configuration, a computing device includes one or more processors (CPU), input / output interfaces, network interfaces, and memory.
[0142] Memory may include non-persistent storage in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.
[0143] Computer-readable media includes both permanent and non-permanent, removable and non-removable media that can store information by any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic disk storage, graphene storage or other magnetic storage devices, or any other non-transferable medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transient computer-readable media, such as modulated data signals and carrier waves.
[0144] Those skilled in the art will understand that one or more embodiments of this specification can be provided as a method, system, or computer program product. Therefore, one or more embodiments of this specification may take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0145] One or more embodiments of this specification can be described in the general context of computer-executable instructions, such as program modules, that are executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform a particular task or implement a particular abstract data type. One or more embodiments of this specification can also be practiced in distributed computing environments where tasks are performed by remote processing devices connected via a communication network. In distributed computing environments, program modules can reside in local and remote computer storage media, including storage devices.
[0146] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to mutually. Each embodiment focuses on describing the differences from other embodiments. In particular, system embodiments are basically similar to method embodiments, so the description is relatively simple; relevant parts can be referred to the descriptions in the method embodiments. In the description of this specification, the terms "one embodiment," "some embodiments," "example," "specific example," or "some examples," etc., refer to specific features, structures, materials, or characteristics described in connection with that embodiment or example, which are included in at least one embodiment or example of this specification. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics described can be combined in any suitable manner in one or more embodiments or examples. Moreover, without contradiction, those skilled in the art can combine and integrate the different embodiments or examples described in this specification and the features of different embodiments or examples.
[0147] The above description is merely an embodiment of one or more embodiments of this specification and is not intended to limit the scope of these embodiments. Various modifications and variations can be made to these embodiments by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this specification should be included within the scope of the claims.
Claims
1. An anonymous authentication method, performed by a first device, comprising: Based on the index of the first account in the target account set, generate a binary indicator vector and an auxiliary vector with a predetermined relationship to it. A first signature value C is generated based on the instruction vector, the auxiliary vector, and the first private key of the first account; wherein the target account set is identified by the corresponding public key sequence. Based on the first random number selected by the verification device and the public key sequence, calculate the first public key vector, and based on the first public key vector and the random array selected by the party, calculate the blinding value; Based on the indication vector, the auxiliary vector, and the challenge array selected by the verification device, two vector polynomials and the result polynomial generated by their inner product are generated, and based on the coefficients of the result polynomial, a first set of commitment values is generated. The variable value x selected by the verification device is substituted into the two vector polynomials, and a second set of commitment values is generated based on the calculation results of the substitution. The first signature value, the blinding value, the first set of commitment values and the second set of commitment values are provided to the verification device for the verification device to verify whether the first account belongs to the target account set.
2. The method according to claim 1, wherein, At least one of the first random number, the random array, and the variable value is received from the verification device; or, At least one of the first random number, the random array, and the variable value is generated according to the data source and generation algorithm specified by the verification device.
3. The method according to claim 1, wherein, The first account is an account in the blockchain system, and the verification device is the device corresponding to the accounting node in the blockchain. The method further includes the verification device verifying that the first account belongs to the target account set and writing the first transaction issued by the first account into the blockchain.
4. The method according to claim 1, wherein, The generation of the first signature value includes: The first signature value is obtained by multiplying the first data item, the second data item, and the third data item. The first data item is determined with the first target generator as the base and the first private key as the exponent; the second data item is determined with the first generator vector as the base and the indicator vector as the exponent; and the third data item is determined with the second generator vector as the base and the auxiliary vector as the exponent.
5. The method according to claim 4, wherein, Calculating the first public key vector includes: Using the initial public key vector corresponding to the public key sequence as the base and the first random number as the exponent, the intermediate vector is calculated; The intermediate vector is multiplied bitwise with the first generator vector to obtain the first public key vector.
6. The method according to claim 1, wherein, The random array selected by this method includes the first and second blinding vectors; Generating two vector polynomials includes: Based on the indicator vector and the challenge array, the product of the first blinding vector and the variable is introduced to obtain the first vector polynomial; Based on the auxiliary vector and the challenge array, the product of the second blinding vector and the variable is introduced to obtain the second vector polynomial.
7. The method according to claim 1, wherein, Generate the first set of commitment values, including: Calculate the coefficient value of the first term of the result polynomial based on the challenge array, and generate a first commitment value T1 based on the coefficient value of the first term and a locally generated third random number. The quadratic coefficient value of the resulting polynomial is calculated based on the challenge array, and a second commitment value T2 is generated based on the quadratic coefficient value and a locally generated fourth random number.
8. The method according to claim 1, wherein, Verifying whether the first account belongs to the target account set includes: The first calculated value is obtained based on the second set of commitment values and the agreed generators; The second calculated value is obtained based on the first set of commitment values and the variable values; Verify whether the first calculated value is equal to the second calculated value.
9. The method according to claim 1, wherein, Verifying whether the first account belongs to the target account set includes: Based on the first signature value, the blinding value, the first public key vector, the variable value, and the challenge array, the third calculated value is obtained; The fourth calculated value is obtained based on the first public key vector, the agreed generator, and the second set of commitment values; Verify whether the third calculated value is equal to the fourth calculated value.
10. A computing device comprising a memory and a processor, wherein the memory stores executable code, and the processor, when executing the executable code, implements the method of any one of claims 1-9.